WO2009112367A1 - Method and device for protecting against attacks on systems equipped with a plug & play function - Google Patents

Info

Publication number: WO2009112367A1
Authority: WO (WIPO, PCT)
Prior art keywords: interface, driver, computer system, service, mode
Application number: PCT/EP2009/052233
Other languages: German (de), English (en)
Inventors: Carsten Von Der Lippe, Bernd Richter
Original assignee: Wincor Nixdorf International GmbH
Priority date: 2008-03-11 (Google notes that the priority date is an assumption and not a legal conclusion; no legal analysis has been performed and no representation is made as to its accuracy)
Filing date: 2009-02-25
Publication date: 2009-09-17
Application filed by: Wincor Nixdorf International GmbH
Priority to: EP09721110.6A (EP2257903B1), US12/919,620 (US8418248B2), CN200980106736.4A (CN101965571B)
Publication of WO2009112367A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • The invention relates to a method for detecting attacks on at least one interface of a computer system, in particular attacks on plug & play interfaces.
  • A typical attack scenario today is the compromise of a PC through plug & play mechanisms, such as the execution of code by AutoPlay functions after a USB memory stick is plugged in. Protection against such attacks is increasingly demanded in the self-service environment as well.
  • The problem, however, is that all plug & play functionality cannot simply be blocked as a precaution, because doing so would also restrict functionality an ATM (cash dispenser) requires. Solutions that, for example, prevent the detection and processing of external devices at the USB driver level unless the devices are entered in white lists (e.g. a white-list-based USB filter driver) are not fully effective and do not constitute a complete solution.
  • The object of the present invention is to increase the security of a computer system, in particular to prevent attacks on self-service machines such as ATMs.
  • This object is achieved by a method for detecting attacks on at least one interface of a computer system, preferably a self-service machine, which continuously monitors the interface in order to detect changes to the interface.
  • The monitoring may be interrupt-driven, based on driver data messages, or follow a policy-oriented approach.
  • The interrupt can be triggered on the hardware side as well as on the software side by a process when data arrives at or is sent by the interface.
  • Data messages may be provided by other software layers and delivered by inter-process communication. In one possible embodiment, modified or additional drivers are used.
  • Changes usually manifest as unusual traffic. Unusual traffic is very likely when a device logs in to or out of the interface. Changed communication protocols are also suspicious. Furthermore, the content of the data may be unusual if the type of data does not match the type of the connected device: block-oriented traffic (e.g. from a hard drive or a USB stick) is unusual for a character-oriented device such as a keyboard. A USB stick that registers as a keyboard on a USB interface is therefore unusual. If the probability of an attack is above a defined threshold, defensive measures are initiated.
  • The list of connected devices is monitored by means of a set of rules. If the likelihood of an attack is determined to be above a defined threshold, a log entry is made for post-mortem diagnosis, a message is sent to a remote server, and the system is shut down with immediate effect so that the attack cannot take effect. An immediate shutdown of the computer system without involving a remote server is also conceivable. Warning messages, for example by SMS or e-mail (SMTP), can also be sent to a target system or a target person. Other options include disabling the entire interface or only the newly connected device. Furthermore, the system may switch to a security mode that permits no connection of devices and can only be switched off by a service technician.
  • The monitored interface may be, for example, a serial interface, a parallel interface, a serial bus interface, a parallel bus interface, a wireless network interface, a wired network interface or an optical network interface.
  • The calculation of the probability takes into account one or more of the following events:
  • Serial numbers can be restricted on the basis of lists or patterns.
  • Device classes or manufacturer/product combinations occur only as a limited number of devices in the system.
  • The number of devices allowed per class is determined by the hardware configuration and the service strategy of the device.
  • For USB devices, for example, the device path (the "path" to the PC, i.e. the port and the hubs) can also be associated with a device.
  • Service devices, for example, are often connected directly to the PC, whereas devices that have no special speed requirements or that require a long cable connection are often connected via hubs.
  • The current (local) time is another indication of whether plug & play activity is permitted or not. For example, authorised service activity rarely takes place in the middle of the night. However, this criterion also depends heavily on the location of the computer system.
  • The probability of an attack can be calculated using a scoring system.
  • In one embodiment, the monitoring is performed by a driver for the interface.
  • The driver can take different forms. On the one hand, the standard bus driver can be replaced by a modified driver that, in addition to the standard functionality, also implements aspects of the monitoring. Alternatively, a driver below the standard driver is used, so that the information reaching the standard driver is filtered and forwarded. An additional driver located logically above a standard driver can also be used, so that information is filtered before being forwarded to the system; this requires that specific device drivers be available for each device connected to the interface.
  • In an alternative embodiment, an interrupt- or poll-driven software process continuously monitors the traffic on the interface in order to detect an unauthorised attack.
  • The monitor instance installed on the system monitors which devices are connected to plug & play capable ports.
  • The scoring system mentioned above and the actions derived from it should be configurable, preferably remotely from another system to which a network connection exists.
  • It is also conceivable that the individual scoring criteria are not calculated individually and then combined, but linked together; for example, the criterion "(temporal) coincidence of detection and removal" can be linked with "device path" to determine that a device was replaced on the front or the back side.
  • FIG. 1 shows a driver scheme for a standard keyboard driver.
  • FIG. 2 shows a driver scheme with a modified USBD driver in the USB driver stack.
  • FIG. 3 shows a driver scheme with a driver below the USBD driver.
  • FIG. 4 shows a driver scheme with a driver above the USBD driver, which is designed as a modified keyboard driver.
  • FIG. 1 shows the layer layout of a driver model as used in the Windows operating system. The lowest layer is the hardware 7, which in the present case is a keyboard. Above it sits the physical USB bus 6, which consists of a cable and a USB
  • The UHCD driver 4 and the OHCD driver 3 stand for the USB chip implementations of different manufacturers, such as Intel or VIA. Above them sits the general USBD driver 2 of the operating system.
  • These three drivers form the USB driver stack 8. Since a large number of devices can be connected to a single USB bus, the drivers of the individual devices connect to the USB driver stack 8 and register with it. The driver stack then passes the information to the corresponding device driver 1 according to the identification of the data received via the bus.
  • FIG. 2 shows an alternative embodiment in which the USBD driver 2a has been modified.
  • FIG. 3 shows an alternative embodiment in which the modified drivers are located below the USBD driver; here the OHCD driver 3a and the UHCD driver 4a have been modified.
  • FIG. 4 shows a modified keyboard driver 1a. In this embodiment, modified drivers must be available for all possible devices.
  • Reference numerals: 1 device driver; 1a modified keyboard driver; 2 USBD driver (bus driver); 2a modified USBD driver; 3 OHCD driver; 3a modified OHCD driver; 4 UHCD driver; 4a modified UHCD driver; 6 USB bus; 7 hardware (keyboard); 8 USB driver stack. USB: universal serial bus.
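The scoring approach described above (serial numbers checked against lists or patterns, a per-class device limit derived from the hardware configuration, the device path distinguishing root ports from hubs, the local time, the traffic type compared with the announced device class, and the linked criterion "removal followed by re-attachment on the same path", with threshold-driven countermeasures) can be shown as working code. The following Python monitor is an added example written for this page; it is not code from the patent or from Wincor Nixdorf. The event fields, the rule weights, the serial-number patterns, the threshold values, the action names and the replayed events are all constructed assumptions, and a real deployment would feed the monitor from the OS plug & play notifications rather than from an in-memory list.

```python
"""Rule-based plug & play monitor with attack scoring.

Added example for this page, not code from the patent or from Wincor Nixdorf.
Every policy value, event field and replayed event is a constructed assumption.
"""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

POLICY = {  # constructed policy for a hypothetical self-service machine
    # devices allowed per class (hardware configuration / service strategy); missing class = not allowed
    "max_per_class": {"hid_keyboard": 1, "card_reader": 1, "printer": 1},
    # serial numbers restricted by pattern (constructed vendor scheme)
    "serial_patterns": {"hid_keyboard": r"^WN-KB-\d{6}$", "card_reader": r"^WN-CR-\d{6}$",
                        "printer": r"^WN-PR-\d{6}$"},
    # service devices are expected directly on a root port, not behind a hub
    "direct_attach_classes": {"card_reader", "printer"},
    # traffic type a device of this class should produce (character vs block oriented)
    "expected_traffic": {"hid_keyboard": "character", "card_reader": "character",
                         "printer": "character", "mass_storage": "block"},
    "service_hours": range(7, 20),            # 07:00 to 19:59 local time
    "replace_window": timedelta(seconds=60),  # removal then re-attach within this = replacement
    "threshold": 50,                          # countermeasures start here
    "shutdown_score": 100,                    # immediate shutdown from here
}


@dataclass
class Event:
    ts: datetime
    action: str        # "add" or "remove"
    path: str          # "1-2" = root port 2, "1-1.3" = port 3 of a hub on root port 1
    dev_class: str     # class announced by the device descriptor
    serial: str = ""
    traffic: str = ""  # "character" or "block", as observed after enumeration


Verdict = namedtuple("Verdict", "score reasons actions")


class PnpMonitor:
    """Keeps the list of connected devices and scores every plug event against POLICY."""

    def __init__(self, policy=POLICY):
        self.p = policy
        self.connected = {}  # path -> Event of the add
        self.removed = {}    # path -> (removal time, serial of the removed device)

    def handle(self, ev: Event) -> Verdict:
        if ev.action == "remove":
            gone = self.connected.pop(ev.path, None)
            self.removed[ev.path] = (ev.ts, gone.serial if gone else "")
            return Verdict(0, [], [])
        score, reasons = self._score_add(ev)
        self.connected[ev.path] = ev
        return Verdict(score, reasons, self._actions(score))

    def _score_add(self, ev: Event):
        p, score, why = self.p, 0, []
        # 1. device class / count limit
        limit = p["max_per_class"].get(ev.dev_class, 0)
        present = sum(1 for e in self.connected.values() if e.dev_class == ev.dev_class)
        if present + 1 > limit:
            score += 50
            why.append(f"{ev.dev_class}: {present + 1} device(s), allowed {limit}")
        # 2. serial number against the pattern for its class
        pattern = p["serial_patterns"].get(ev.dev_class)
        if pattern and not re.match(pattern, ev.serial):
            score += 30
            why.append(f"serial {ev.serial!r} does not match pattern for {ev.dev_class}")
        # 3. device path: a service device behind a hub is unusual
        if ev.dev_class in p["direct_attach_classes"] and "." in ev.path:
            score += 15
            why.append(f"{ev.dev_class} attached via hub at {ev.path}")
        # 4. local time outside service hours
        if ev.ts.hour not in p["service_hours"]:
            score += 15
            why.append(f"plug event at {ev.ts:%H:%M} outside service hours")
        # 5. traffic type does not fit the announced class (block traffic from a "keyboard")
        expected = p["expected_traffic"].get(ev.dev_class)
        if ev.traffic and expected and ev.traffic != expected:
            score += 60
            why.append(f"{ev.traffic} traffic from {ev.dev_class}, expected {expected}")
        # 6. linked criterion: removal and re-attach on the same path with another serial
        prev = self.removed.get(ev.path)
        if prev and ev.ts - prev[0] <= p["replace_window"] and prev[1] != ev.serial:
            score += 25
            why.append(f"device on {ev.path} replaced within {(ev.ts - prev[0]).seconds}s")
        return score, why

    def _actions(self, score: int) -> list:
        if score >= self.p["shutdown_score"]:
            return ["log", "notify_remote", "shutdown"]
        if score >= self.p["threshold"]:
            return ["log", "notify_remote", "disable_device"]
        return ["log"] if score else []


def run_sample() -> list:
    """Replays constructed events; returns one Verdict per event, in order."""
    day = datetime(2009, 2, 25, 10, 0)
    events = [
        Event(day, "add", "1-1", "card_reader", "WN-CR-000123", "character"),
        Event(day + timedelta(minutes=5), "add", "1-2", "hid_keyboard", "WN-KB-000001", "character"),
        Event(day + timedelta(hours=4), "add", "1-1.3", "mass_storage", "0123456789AB", "block"),
        Event(datetime(2009, 2, 26, 2, 13, 0), "remove", "1-2", "hid_keyboard"),
        Event(datetime(2009, 2, 26, 2, 13, 30), "add", "1-2", "hid_keyboard", "BADUSB-01", "block"),
    ]
    mon = PnpMonitor()
    return [mon.handle(ev) for ev in events]


if __name__ == "__main__":
    for v in run_sample():
        print(v.score, v.actions, v.reasons)
```

In the replayed sequence the two service devices score 0, the USB stick behind a hub reaches the threshold on the class limit alone and is disabled, and the night-time swap of the keyboard for a device with a foreign serial that produces block traffic accumulates 130 points across four criteria (serial pattern, time of day, traffic type and the linked replacement rule) and triggers the shutdown action. The weights are deliberately kept in one table so that, as the description demands, they can be reconfigured remotely without touching the rule code.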

Abstract

The invention relates to a method for detecting attacks on at least one interface of a computer system, in particular a self-service machine, comprising monitoring the interface in order to determine changes that have occurred on the interface. When changes occur, the probability of an unauthorised action on the interface is determined from the nature of the change. Protective measures are taken if the probability exceeds a given threshold value.

Priority Applications (3)

Application Number | Publication | Priority Date | Filing Date | Title
EP09721110.6A | EP2257903B1 (fr) | 2008-03-11 | 2009-02-25 | Method and device for protecting against attacks on systems equipped with a plug & play function
US12/919,620 | US8418248B2 (en) | 2008-03-11 | 2009-02-25 | Method and device for defending against attacks to systems comprising a plug and play function
CN200980106736.4A | CN101965571B (zh) | 2008-03-11 | 2009-02-25 | Method and device for defending against attacks on systems with a plug-and-play function

Applications Claiming Priority (2)

Application Number | Publication | Priority Date | Filing Date | Title
DE102008013634.4 | | 2008-03-11 | |
DE102008013634A | DE102008013634A1 (de) | 2008-03-11 | 2008-03-11 | Method and device for defending against attacks on systems with a plug & play function

Publications (1)

Publication Number | Publication Date
WO2009112367A1 (fr) | 2009-09-17

Family

ID=40679365

Family Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
PCT/EP2009/052233 | WO2009112367A1 (fr) | 2008-03-11 | 2009-02-25 | Method and device for protecting against attacks on systems equipped with a plug & play function

Country Status (4)

Country | Link
US (1) | US8418248B2
EP (1) | EP2257903B1
DE (1) | DE102008013634A1
WO (1) | WO2009112367A1

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
DE102008013634A1 (de) * | 2008-03-11 | 2009-09-17 | Wincor Nixdorf International Gmbh | Method and device for defending against attacks on systems with a plug & play function
EP2821976B1 (fr) * | 2013-07-01 | 2020-04-29 | Wincor Nixdorf International GmbH | Method and device for recording events in self-service machines
US9311473B2 (en) * | 2014-02-28 | 2016-04-12 | Ncr Corporation | Unattended secure device authorization
US9613586B2 (en) | 2014-12-23 | 2017-04-04 | Roku, Inc. | Providing a representation for a device connected to a display device
US10452459B2 (en) | 2016-12-09 | 2019-10-22 | Microsoft Technology Licensing, Llc | Device driver telemetry
US10467082B2 (en) * | 2016-12-09 | 2019-11-05 | Microsoft Technology Licensing, Llc | Device driver verification

Citations (7)

Publication number | Priority date | Publication date | Assignee | Title
WO1998055912A1 (fr) * | 1997-06-04 | 1998-12-10 | Spyrus, Inc. | Modular cryptographic device
EP1248179A1 (fr) * | 2001-04-03 | 2002-10-09 | Hewlett-Packard Company | Selective activation and deactivation of peripherals connected to a USB system
WO2005120006A1 (fr) * | 2004-06-02 | 2005-12-15 | Elisa Oyj | Method for monitoring the operation of a chip card, chip card for a terminal, and intrusion protection system
WO2006055420A2 (fr) * | 2004-11-15 | 2006-05-26 | Microsoft Corporation | Special PC mode activated upon detection of an undesired state
DE102005008966A1 (de) * | 2005-02-28 | 2006-08-31 | Giesecke & Devrient Gmbh | Access control
EP1708114A2 (fr) * | 2005-03-31 | 2006-10-04 | Microsoft Corporation | Aggregating the knowledge base of computer systems to proactively protect a computer against malicious programs
US20080022360A1 (en) * | 2006-07-19 | 2008-01-24 | Bacastow Steven V | Method for securing and controlling USB ports

Family Cites Families (8)

Publication number | Priority date | Publication date | Assignee | Title
US20030009676A1 (en) * | 2001-07-09 | 2003-01-09 | Cole Terry L. | Peripheral device with secure driver
US8127356B2 (en) * | 2003-08-27 | 2012-02-28 | International Business Machines Corporation | System, method and program product for detecting unknown computer attacks
US20070204173A1 (en) * | 2006-02-15 | 2007-08-30 | Wrg Services Inc. | Central processing unit and encrypted pin pad for automated teller machines
FR2900298B1 (fr) * | 2006-04-21 | 2014-11-21 | Trusted Logic | Secure system and method for processing data between a first device and at least one second device provided with monitoring means
US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware
DE102008013634A1 (de) * | 2008-03-11 | 2009-09-17 | Wincor Nixdorf International Gmbh | Method and device for defending against attacks on systems with a plug & play function
US8251281B1 (en) * | 2008-06-27 | 2012-08-28 | Diebold Self-Service Systems Division Of Diebold, Incorporated | Automated banking system controlled responsive to data bearing records
US8499346B2 (en) * | 2009-12-18 | 2013-07-30 | Ncr Corporation | Secure authentication at a self-service terminal

Also Published As

Publication number | Publication date
EP2257903B1 (fr) | 2016-05-11
US8418248B2 (en) | 2013-04-09
US20100333202A1 (en) | 2010-12-30
EP2257903A1 (fr) | 2010-12-08
CN101965571A (zh) | 2011-02-02
DE102008013634A1 (de) | 2009-09-17

Legal Events

Code | Title | Description
WWE | WIPO information: entry into national phase | Ref document number: 200980106736.4; Country of ref document: CN
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 09721110; Country of ref document: EP; Kind code of ref document: A1
WWE | WIPO information: entry into national phase | Ref document number: 2009721110; Country of ref document: EP
WWE | WIPO information: entry into national phase | Ref document number: 12919620; Country of ref document: US
NENP | Non-entry into the national phase | Ref country code: DE